Plash: tools for practical least privilege


Running GUI applications

Running Leafpad (a simple text editor)

Leafpad is a simple text editor that uses Gtk. You can run it to use the powerbox with a shell script such as:
pola-run --prog /usr/bin/leafpad \
  -B -fl /etc \
  --env LD_PRELOAD=$PB_SO -f $PB_SO \
  --x11 --powerbox --pet-name "Leafpad"
"-B" grants access to /usr, /bin and /lib. On my Debian system, it is necessary to include /etc/ in Leafpad's namespace, otherwise it will not link (it won't find the X libraries in /usr/X11R6/lib). This is why we do "-fl /etc". Perhaps "-fl /etc/" would do instead. Leafpad does not need any configuration files from your home directory. Since we can use the powerbox to grant Leafpad access to files to be edited, we don't initially need to grant it access to anything from your home directory.

Running Gnumeric

Gnumeric is a spreadsheet application, written in C, which uses Gtk. Here is one way to run Gnumeric so that it uses the powerbox:

rm -rv tmp/gnumeric
mkdir -p tmp/gnumeric


pola-run \
  --prog /usr/bin/gnumeric \
  -B -fl /etc \
  -tw /tmp tmp/gnumeric \
  -tw $HOME tmp/gnumeric \
  -fw /dev/urandom -fw /dev/log -f /var/lib/defoma \
  --env LD_PRELOAD=$PB_SO -f $PB_SO \
  --x11 --powerbox --pet-name "Gnumeric"
Gnumeric requires a number of configuration directories to exist (inside the user's home directory). If they don't exist, it tries to create them, and exits if it can't. In this example, we substitute a temporary directory (tmp/gnumeric) for our real home directory, using "-tw $HOME tmp/gnumeric". This ensures that Gnumeric runs cleanly, from scratch, without picking up existing configuration files from previous runs (which, of course, may not be what you want). Gnumeric launches gconfd (a service which deals with configuration files). Usually this process gets shared between GNOME applications. In this case, we want to isolate Gnumeric, so that it has its own instance of gconfd. The sharing works by creating shared sockets inside /tmp, so we disable sharing by giving Gnumeric its own private instance of /tmp (which we map to tmp/gnumeric).

Running Inkscape

Inkscape is a vector graphics application which uses Gtk. It is quite complex. It seems to be written in C, and it deals with complex vector image file formats (e.g. SVG), so it may well have buffer overrun bugs. If you run Inkscape on an SVG file downloaded from the Internet, it could be a malicious file that exploits a bug, so it's worth sandboxing Inkscape. Running Inkscape is similar to running Leafpad:
pola-run --prog /usr/bin/inkscape \
  -B -fl /etc \
  -f /proc \
  --env LD_PRELOAD=$PB_SO -f $PB_SO \
  --x11 --powerbox --pet-name "Inkscape"
One difference from before is "-f /proc". Inkscape reads "/proc/stat" and "/proc/self/stat" -- perhaps something to do with the garbage collection library it uses -- and it exits if these are not available. So we grant access to "/proc"; however, this is not a great idea and it should be reviewed because it might reveal sensitive information. Note that granting access to "/proc/self" will not actually work under Plash, because the Linux kernel treats it specially: the information Linux returns from it depends on the PID of the process that is asking. When running under Plash, a server process asks on behalf of the application process.

Running command line programs

Running gcc

The following invocation:
gcc -c code.c -o code.o
can be changed to:
pola-run --prog /usr/bin/gcc \
  -a=-c -fa code.c -a=-o -faw code.o \
  -B -f .

Running rpm to build a package as a non-root user

pola-run --prog /usr/bin/rpm -B -f /etc \
  -a=-bb \
  -tal /stuff/plash.spec ../plash.spec \
  -f ~/projects/plash \
  -fl ~/projects/plash/glibc \
  -f ~/projects-source/plash \
  -t  /usr/src/rpm/SOURCES/plash-$PLASH_VERSION.tar.gz plash-$PLASH_VERSION.tar.gz \
  -tw /usr/src/rpm/BUILD build \
  -tw /usr/src/rpm/RPMS/i386 out \
  -tw /var/tmp tmp

Running servers

Running a webmail server

pola-run \
  --prog -f \
  -f \
  -fl ~/Mail \
  -fw mail-db \
  -fw /tmp \
  -f /etc/protocols \
  -f /etc/hosts \
  -t /lib           /debian/lib \
  -t /usr/bin       /debian/usr/bin \
  -t /usr/share     /debian/usr/share \
  -t /usr/lib/perl5 /debian/usr/lib/perl5 \
  -t /usr/lib/perl  /debian/usr/lib/perl \
  -f /usr/lib/plash \
  -f ~/projects/sparkymail --log